Software security assurance for embedded software is a big challenge. This article on embedded systems and automobile security summarizes it nicely:

White hats are increasingly looking beyond PCs and data centres for security vulnerabilities that have plagued the computer industry for decades and focusing on products like cars, medical devices and electricity meters that run on tiny computers embedded in those products.

For embedded software teams to become the target of hackers is a big change. While website owners and developers of cloud applications or PC software are used to all this attention from hackers, most embedded software teams are not. The same Globe & Mail article outlines the challenges for automotive manufacturers quite clearly.

Cars also use the same wireless technologies that power cell phones and Bluetooth headsets, which makes them vulnerable to remote attacks that are widely known to criminal hackers.

In addition to designing viruses to harm passengers in infected vehicles, the academics were able to remotely eavesdrop on conversations inside cars, a technique that could be of use to corporate and government spies.

Even low-end cars now have 30 to 50 ECUs [Electronic Control Units] embedded in the body, doors, dash, roof, trunk, seats, and just about anywhere else the car’s designers can think to put them. That means that most new cars are executing tens of millions of lines of software code, controlling everything from your brakes to the volume of your radio.

That amount of software complexity means more risk, since the attack surface area is becoming quite large in cars, especially as they become more network connected. Tens of millions of lines of code is a lot of software, and presents significant challenges for automotive OEMs and their supply chains to balance risk mitigation with normal business pressures around time-to-market and the need for more functionality.

This is one of the reasons automotive companies are rapidly looking to enhance how they address software security and quality. There are ways source code analysis helps automotive companies, but in many ways the challenges are very similar to any large embedded system, whether it’s military, aerospace, medical device, or a smartphone.

As an additional resource, here’s a short webinar on software threat modeling with our partner Security Innovation that outlines how embedded systems developers can take steps to mitigate these risks.

About the Author:
Brendan Harrison

I'm Klocwork's VP of Marketing and responsible for all of the company's product and channel marketing, communications, press relations, and demand generation activities. I've been in the development tools space for almost a decade, so will try to post interesting content related to industry or technology trends that I'm seeing.
